+----------------------------------------------+ ADVISORY – jQuery Validate 1.6.0 Demo Code AFFECTED PACKAGES > jQuery Validate 1.6.0 > SilverStripe 2.3.X to 2.3.5 Discovered By CodeScan.com +----------------------------------------------+ Vendor's Website: http://bassistance.de/jquery-plugins/jquery-plugin-validation/ CodeScan Labs (www.codescan.com), has recently released a new source code scanning tool, CodeScan. CodeScan is an advanced auditing tool designed to check web application source code for security vulnerabilities. CodeScan utilises an intelligent source code parsing engine, traversing execution paths and tracking the flow of user supplied input. During the ongoing testing of CodeScan PHP, the jQuery.Validate demonstration code was discovered within another project. <<< CROSS SITE SCRIPTING THROUGH ECHO >>> XSS in [form.php], folder [demo]. (Full Path: $user = $_REQUEST['user']; $pw = $_REQUEST['password']; if($user && $pw && $pw == "foobar") echo "Hi $user, welcome back." <<< PROOF OF CONCEPT >>> http://[host]/validate/demo/form.php?user=%3Cscript%3Ealert%28%27Proof%20of%20Concept%27%29;%3C/script%3E&password=foobar <<< YES, WE REALISE THIS IS DEMO CODE >>> A simple Google search unearthed a number of results for the existence of this plugin/demo within SVN repositories, as well as on live web servers. Demo or not, it has been included in distributions (Such as SilverStripe) – and has been deployed in live environments. <<< RESPONSIBLE DISCLOSURE >>> We have attempted to make contact with the author of this plugin, to no avail. We successfully made contact with the SilverStripe team who promptly tidied up. Quick response, well done. <<< EXPLICIT RECCOMENDATIONS >>> SilverStripe Users: Upgrade to the latest version of SilverStripe (2.3.6 at time of writing), and ensure the file is deleted. Other Users: Chances are you do not need this file in your project, so delete the [form.php] file. Otherwise, ensure proper Sanitization. <<< CLOSING NOTES >>> You may be able to write secure code, but the code you get from third parties can put you at risk. Always review the code of third parties (including/especially plug ins) – not doing so puts you at unnecessary risk. -- This message has been scanned for viruses and dangerous content by Bizo EmailFilter, and is believed to be clean.